
CWE-252 Unchecked Return Value: vulnerability list (63)

Summary of the 63 CVE entries associated with the CWE-252 Unchecked Return Value weakness class, with AI-generated Chinese analysis.

CWE-252 covers unchecked return values: the program ignores the status returned by a function or method and therefore cannot recognize an abnormal condition. Attackers commonly craft input that forces a call to fail, exploiting the developer's mistaken assumption that "the call always succeeds" so that the program enters an unexpected state or executes the wrong logic. After every call that can fail, developers should strictly validate the return value and continue with the subsequent logic only on success, which makes the system more robust.

Official MITRE CWE description

CWE-252 Unchecked Return Value

The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.

Two common programmer assumptions are "this function call can never fail" and "it doesn't matter if this function call fails". If an attacker can force the function to fail or otherwise return a value that is not expected, then the subsequent program logic could lead to a vulnerability, because the product is not in a state that the programmer assumes. For example, if the program calls a function to drop privileges but does not check the return code to ensure that privileges were successfully dropped, then the program will continue to operate with the higher privileges.
Common consequences (1)

Scope: Availability, Integrity
Impact: Unexpected State; DoS: Crash, Exit, or Restart
An unexpected return value could place the system in a state that could lead to a crash or other unintended behaviors.

Mitigations (4)

Phase: Implementation. Check the results of all functions that return a value and verify that the value is expected.
Effectiveness: High

Phase: Implementation. For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Phase: Implementation. Ensure that you account for all possible return values from the function.

Phase: Implementation. When designing a function, make sure you return a value or throw an exception in case of an error.
Code examples (2)

Consider the following code segment:

```c
#include <stdio.h>
#include <string.h>

char buf[10], cp_buf[10];
fgets(buf, 10, stdin);   /* return value ignored: on EOF or a read error buf is not guaranteed to hold a string */
strcpy(cp_buf, buf);     /* may then copy an uninitialized, unterminated buffer */
```
Bad · C

In the following example, it is possible to request that memcpy move a much larger segment of memory than assumed:

```c
#include <string.h>

int returnChunkSize(void *chunk) {
    /* if chunk info is valid, return the size of usable memory,
     * else, return -1 to indicate an error */
    ...
}

int main() {
    ...
    /* If returnChunkSize() fails, -1 - 1 == -2 is converted to a huge size_t
     * and memcpy() writes far past the end of destBuf. */
    memcpy(destBuf, srcBuf, (returnChunkSize(destBuf)-1));
    ...
}
```
Bad · C
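The memcpy example above, isolated and placed beside a version that checks the return value before using it as a length. This is an added example, not code from the page or from MITRE; `struct chunk`, `return_chunk_size`, `unchecked_copy_len` and `checked_copy` are constructed here to mirror the page's `returnChunkSize` contract (usable size, or -1 on error).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical chunk layout (constructed for this example): usable is the number
 * of bytes of data that may be used, or 0 to mark the chunk as invalid. */
struct chunk {
    size_t usable;
    char data[32];
};

/* Same contract as the page's returnChunkSize(): usable size, or -1 on error. */
int return_chunk_size(const struct chunk *c)
{
    if (c == NULL || c->usable == 0 || c->usable > sizeof c->data)
        return -1;
    return (int)c->usable;
}

/* The unchecked pattern from the page, isolated: this is the length memcpy()
 * would receive. On error, -1 - 1 == -2, which becomes SIZE_MAX - 1 as size_t. */
size_t unchecked_copy_len(const struct chunk *dst)
{
    return (size_t)(return_chunk_size(dst) - 1);
}

/* Checked version: validate both return values before either becomes a length.
 * Returns 0 on success, -1 if either chunk is reported invalid. */
int checked_copy(struct chunk *dst, const struct chunk *src)
{
    int dst_size = return_chunk_size(dst);
    int src_size = return_chunk_size(src);
    if (dst_size < 0 || src_size < 0)
        return -1;                        /* callee reported an error: stop here */
    size_t len = (size_t)dst_size - 1;    /* the page's "size - 1"; dst_size >= 1 here */
    if (len > (size_t)src_size)
        len = (size_t)src_size;           /* never read past the source's usable bytes */
    memcpy(dst->data, src->data, len);
    return 0;
}
```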
| CVE ID | Title | CVSS | Risk level | Published |
| --- | --- | --- | --- | --- |
| CVE-2020-17533 | Apache Accumulo security vulnerability — Apache Accumulo | 8.1 | - | 2020-12-29 |
| CVE-2020-6152 | Accusoft ImageGear buffer error vulnerability — Accusoft | 8.8 | - | 2020-09-01 |
| CVE-2018-14622 | libtirpc security vulnerability — libtirpc | 7.5 | - | 2018-08-30 |

CWE-252 (Unchecked Return Value) is a common weakness class; this platform lists 63 CVE vulnerabilities associated with it.